From Wireshark to data analysis

If you want to do your work well, you must first sharpen your tools! Being familiar with a tool is definitely helpful for later work. Here I give a brief description of how Wireshark is used, together with my own thinking. If there are errors or omissions, please point them out and correct me.


0x01 Wireshark introduction
Wireshark (formerly called Ethereal) is network packet analysis software. The job of packet analysis software is to capture network packets and display the captured packet data in as much detail as possible. Wireshark uses WinPcap as the interface through which it exchanges data frames directly with the network card. In the past, packet analysis software was very expensive or purely commercial; the appearance of Ethereal changed all of that. Under the GNU GPL license, users can obtain the software and its source code for free, and have the right to modify and customize that source code. Ethereal is one of the most widely used network packet analysis tools in the world.

Official website: https://www.wireshark.org

0x02 Wireshark use
First download the software version matching your environment from the official website, then click Next through the installer. It is recommended not to install it on the C drive.

Then open Wireshark; you will see the network interfaces of the device. Select the interface you need to capture on and double-click it, or press Ctrl+K and tick the interface to capture on. Generally you select WLAN and click Start to begin capturing. In the traffic graph next to each interface, a curve with ups and downs indicates that there is traffic, and a flat line indicates that there is none.

0x03 Wireshark syntax
1. Filter MAC address

eth.addr == 00:71:cc:9a:28:93 //Filter packets whose destination or source address is 00:71:cc:9a:28:93

eth.src == 00:71:cc:9a:28:93 //Filter packets whose source address is 00:71:cc:9a:28:93

eth.dst == 00:71:cc:9a:28:93 //Filter packets whose destination address is 00:71:cc:9a:28:93

2. Filter VLAN

vlan.id == 1024 //Filter packets with VLAN ID 1024

vlan.id_name == yunzui //Filter packets whose VLAN name is yunzui

3. IP filtering

//Source IP address filtering

ip.src == 8.8.8.8

ip.src eq 8.8.8.8

//Destination IP address filtering

ip.dst == 8.8.8.8

ip.dst eq 8.8.8.8

//IP address filtering. Regardless of source or target

ip.addr == 8.8.8.8

ip.addr eq 8.8.8.8

4. Port filtering

tcp.port == 8888

udp.port eq 8888

tcp.dstport == 8888 // Only display TCP packets whose destination port is 8888

tcp.srcport == 8888 // Only display TCP packets whose source port is 8888

//Filter port range

tcp.port >= 1 and tcp.port <= 8888

5. Common protocol filtering

tcp //Only display the data flow of TCP protocol

udp //Only display the data stream of UDP protocol

arp //Only display the data flow of the ARP protocol

icmp //Only display the data stream of the ICMP protocol

http //Only display the data stream of the HTTP protocol

smtp //Only display the data flow of SMTP protocol

ftp //Only display the data stream of the FTP protocol

dns //Only display the data flow of DNS protocol

To exclude HTTP packets, use !http or not http

6. HTTP filtering

http.request.method == "GET"

http.request.method == "POST"

http.request.uri == "/img/logo-edu.gif"

http contains "GET"

http contains "HTTP/1."

// GET request packets

http.request.method == "GET" && http contains "Host: "

http.request.method == "GET" && http contains "User-Agent: "

// POST request packets

http.request.method == "POST" && http contains "Host: "

http.request.method == "POST" && http contains "User-Agent: "

// HTTP request packets from a specific client (matched on its User-Agent string)

http.request.method == "POST" && http contains "Java/1.8.0_121"

// HTTP response packets

http contains "HTTP/1.1 200 OK" && http contains "Content-Type: "

7. Operators

less than: lt

less than or equal: le

equal: eq

greater than: gt

greater than or equal: ge

not equal: ne

8. Connectors

and, or

For example: tcp.port == 8888 and ip.addr == 88.88.88.88
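As an added example that is not part of the original post, the following Python script evaluates the display-filter syntax from sections 3 to 8 (field comparisons written with either the symbols or the eq/ne/lt/le/gt/ge words, contains, !/not, and/&&, or/||, parentheses, and the either-direction fields ip.addr, eth.addr, tcp.port and udp.port) against a constructed set of packet dissections. The packet records and the DisplayFilter and apply_filter names are my own, and only this subset of Wireshark's grammar is implemented.

```python
import re
# Constructed sample dissections (hypothetical, not from a real capture), keyed by Wireshark field names.
PACKETS = [
    {"eth.src": "00:71:cc:9a:28:93", "eth.dst": "ff:ff:ff:ff:ff:ff", "arp": True},
    {"ip.src": "10.0.0.5", "ip.dst": "8.8.8.8", "udp.srcport": 51000, "udp.dstport": 53, "dns": True},
    {"ip.src": "10.0.0.5", "ip.dst": "192.0.2.10", "tcp.srcport": 50000, "tcp.dstport": 80,
     "http.request.method": "POST", "http": "POST /login HTTP/1.1\r\nHost: example.test\r\n"},
    {"ip.src": "192.0.2.10", "ip.dst": "10.0.0.5", "tcp.srcport": 80, "tcp.dstport": 50000, "http": "HTTP/1.1 200 OK\r\n"},
]
# ip.addr / eth.addr / tcp.port / udp.port match either direction, as they do in Wireshark.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "eth.addr": ("eth.src", "eth.dst"),
           "tcp.port": ("tcp.srcport", "tcp.dstport"), "udp.port": ("udp.srcport", "udp.dstport")}
OPS = {"==": "eq", "!=": "ne", "<": "lt", "<=": "le", ">": "gt", ">=": "ge", "contains": "contains",
       **{w: w for w in ("eq", "ne", "lt", "le", "gt", "ge")}}  # word forms (section 7) equal the symbols
CMP = {"eq": lambda a, b: a == b, "ne": lambda a, b: a != b, "lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
       "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b, "contains": lambda a, b: str(b) in str(a)}
TOKEN = re.compile(r'\(|\)|&&|\|\||!=|==|<=|>=|<|>|!|"[^"]*"|[\w.:/-]+')  # operators, "strings", bare words

def literal(tok): return tok[1:-1] if tok.startswith('"') else (int(tok) if tok.isdigit() else tok)  # "str"/int/word
def values(pkt, field): return [pkt[f] for f in ALIASES.get(field, (field,)) if f in pkt]  # expands aliases

class DisplayFilter:
    # Recursive descent: 'or'/'||' binds loosest, then 'and'/'&&', then 'not'/'!' and parentheses.
    def __init__(self, text):
        self.toks, self.i = TOKEN.findall(text), 0
        self.ast = self.expr()
        if self.i != len(self.toks): raise ValueError("unexpected trailing tokens in filter")
    def peek(self): return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self): self.i += 1; return self.toks[self.i - 1]
    def expr(self): return self.chain(self.term, ("or", "||"), "or")
    def term(self): return self.chain(self.factor, ("and", "&&"), "and")
    def chain(self, sub, words, kind):  # left-associative chain at one precedence level
        node = sub()
        while self.peek() in words: self.take(); node = (kind, node, sub())
        return node
    def factor(self):
        t = self.take()
        if t in ("not", "!"): return ("not", self.factor())
        if t == "(": node = self.expr(); self.take(); return node
        if self.peek() in OPS: return ("cmp", t, OPS[self.take()], literal(self.take()))
        return ("has", t)  # a bare protocol or field name is true when the packet carries it
    def matches(self, pkt, node=None):
        k, *a = node or self.ast
        if k == "has": return bool(values(pkt, a[0]))
        if k == "cmp": return any(CMP[a[1]](v, a[2]) for v in values(pkt, a[0]))
        if k == "not": return not self.matches(pkt, a[0])
        if k == "and": return self.matches(pkt, a[0]) and self.matches(pkt, a[1])
        return self.matches(pkt, a[0]) or self.matches(pkt, a[1])

def apply_filter(text, packets=PACKETS):  # 1-based frame numbers that pass, like Wireshark's packet list
    f = DisplayFilter(text)
    return [n for n, pkt in enumerate(packets, 1) if f.matches(pkt)]
```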

0x04 Wireshark functions
1. Structure of a packet in Wireshark

Line 1: the frame overview of the whole packet, with the most content

Line 2: data link layer details, mainly the MAC addresses

Line 3: network layer details, mainly the IP addresses of both sides

Line 4: transport layer details, mainly the port numbers of both sides

Line 5: the application layer; for plain TCP or UDP this is the transmitted DATA, for DNS it is the domain name information

2. Wireshark coloring rules

Open View > Coloring Rules in the menu bar to see them

3. Statistical analysis of packets

The Protocol Hierarchy statistics show the distribution of protocols among the selected packets, and help the analyst spot suspicious protocols and abnormal network applications, which improves analysis efficiency.

Open Statistics > Protocol Hierarchy (P) in the menu bar to see it

In the Endpoints window, you can sort by Bytes and Tx Bytes to determine which host uses the most bandwidth

Open Statistics > Endpoints in the menu bar to see it

In the Conversations window, you can see the number of packets sent/received between two hosts, the byte counts, and the direction of the data flow. Here too you can sort to determine which host uses the most bandwidth.

Open Statistics > Conversations in the menu bar to see it

4. Follow a stream

To view the data flow a particular packet belongs to, select the packet, right-click it and choose Follow. The options are TCP stream, UDP stream, SSL stream and HTTP stream; pick the one matching the protocol the packet belongs to.

0x05 Practical analysis
An intermediate data analysis challenge from Attack and Defense World

Challenge: A hacker used Wireshark to capture the traffic of the administrator logging in to a website (the administrator's password is the answer). The flag is submitted in the form flag{XXXX}

Download the challenge capture file and analyze it according to the challenge requirements

Extract the keywords from the challenge: website (HTTP), login (POST)

Open the capture and apply the corresponding display filter

http.request.method == "POST"

Follow the HTTP stream to obtain the administrator's password

ffb7567a1d4f4abdffdb54e022f8facd

0x06 Summary and thoughts
As the contest between network attack and defense grows ever fiercer, full traffic analysis becomes especially important. Extracting the key information from massive amounts of data is not only the attacker's way of thinking, but also a required skill for analysts.

A goose flying past leaves its trace! Wireshark captures the data stream of the entire TCP/IP exchange and is a very good analysis tool. Only a few of its functions are introduced here; friends who are interested can keep studying it!
